AndroidAPS icon indicating copy to clipboard operation
AndroidAPS copied to clipboard

Published 20 hours ago verified publisher icon MilosKozak

It's possible to export settings with locked preferences

Open MilosKozak opened this issue 4 years ago • 2 comments

MilosKozak avatar Mar 17 '20 15:03 MilosKozak

Would it be safe to:

  1. allow export but not include the settings_password key so that it isn't so easy to recover the password
  2. disable import without a passcode

That would I think prevent it easily being removed while at the same time allowing someone to still backup the settings. Otherwise we could end up in a situation where a user with a passcode can't easily backup their objectives.

Removing the settings_password from the export file also prevent the 'parent' from accidentally leaving a file on the device with the passcode in it if they did do an export.

twain47 avatar Mar 17 '20 17:03 twain47

Passwords (including settings_password) are never stored in plain text.

The way the password is stored (HMAC) make it difficult to being recovered from exported preferences. Moreover - whole exported file is already encrypted, so first - attacker would need to brute-force master password in order to read raw preferences there, where he will find only hash of password!

dlvoy avatar May 11 '20 17:05 dlvoy